From e674fc8205dc539c91fe5622eeabf25f57f812df Mon Sep 17 00:00:00 2001 From: YannGarcia Date: Fri, 13 Aug 2021 10:46:15 +0200 Subject: [PATCH] Finalyze implementation of new TPs from ETSI TS 103 525-2 V1.2.4 (2021-10) --- etc/AtsPki/AtsPki.cfg | 8 +- ttcn/AtsPki/ItsPki_TestCases.ttcn | 268 ++++++++++++++++++++++++++++-- ttcn/LibIts | 2 +- 3 files changed, 266 insertions(+), 12 deletions(-) diff --git a/etc/AtsPki/AtsPki.cfg b/etc/AtsPki/AtsPki.cfg index b47f7e69..5aeb2997 100644 --- a/etc/AtsPki/AtsPki.cfg +++ b/etc/AtsPki/AtsPki.cfg @@ -236,7 +236,13 @@ system.httpTlmPort.params := "HTTP(codecs=http_its:http_etsi_ieee1609dot2_codec) # Check that all PSID entries of the appPermissions component of the certificate are unique #ItsPki_TestCases.TC_SECPKI_CA_CERTGEN_14_BV # Check that all PSID entries of the appPermissions component of the certificate are also contained in the certIssuePermissions component in the issuing certificate -ItsPki_TestCases.TC_SECPKI_CA_CERTGEN_15_BV +#ItsPki_TestCases.TC_SECPKI_CA_CERTGEN_15_BV +# Check that all PSID entries of the certIssuePermissions component of the certificate are unique +#ItsPki_TestCases.TC_SECPKI_CA_CERTGEN_16_BV +# Check that SSP field in each entry of the appPermissions component of the AT certificate is equal to or a subset of the SSP Range in the corresponding issuing entry +ItsPki_TestCases.TC_SECPKI_CA_CERTGEN_17_BV +# Check that the validityPeriod of the subordinate certificate is inside the validityPeriod of the issuing certificate +#ItsPki_TestCases.TC_SECPKI_CA_CERTGEN_18_BV [MAIN_CONTROLLER] # The options herein control the behavior of MC. diff --git a/ttcn/AtsPki/ItsPki_TestCases.ttcn b/ttcn/AtsPki/ItsPki_TestCases.ttcn index 533ffd30..19d009a9 100644 --- a/ttcn/AtsPki/ItsPki_TestCases.ttcn +++ b/ttcn/AtsPki/ItsPki_TestCases.ttcn 
@@ -2745,7 +2745,7 @@ module ItsPki_TestCases { // Test control if (not PICS_IUT_CA_ROLE and not PICS_SEC_SHA256 and not PICS_SEC_BRAINPOOL_P256R1 and not PICS_SEC_BRAINPOOL_P384R1) { - log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and (PICS_SEC_SHA256 or PICS_SEC_BRAINPOOL_P256R1 or PICS_SEC_BRAINPOOL_P384R1) required for executing the TC ***"); + log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and (PICS_SEC_SHA256 or PICS_SEC_BRAINPOOL_P256R1 or PICS_SEC_BRAINPOOL_P384R1 required for executing the TC ***"); setverdict(inconc); stop; } @@ -3232,7 +3232,7 @@ module ItsPki_TestCases { // Test control if ((not PICS_IUT_CA_ROLE) or not(PICS_SEC_EXPLICIT_CERTIFICATES) and not PICS_SEC_SHA256 and not PICS_SEC_BRAINPOOL_P256R1 and not PICS_SEC_BRAINPOOL_P384R1) { - log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and (PICS_SEC_SHA256 or PICS_SEC_BRAINPOOL_P256R1 or PICS_SEC_BRAINPOOL_P384R1) required for executing the TC ***"); + log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and (PICS_SEC_SHA256 or PICS_SEC_BRAINPOOL_P256R1 or PICS_SEC_BRAINPOOL_P384R1 required for executing the TC ***"); setverdict(inconc); stop; } @@ -3300,7 +3300,7 @@ module ItsPki_TestCases { // Test control if ((not PICS_IUT_CA_ROLE) or not(PICS_SEC_EXPLICIT_CERTIFICATES) and not PICS_SEC_SHA256 and not PICS_SEC_BRAINPOOL_P256R1 and not PICS_SEC_BRAINPOOL_P384R1) { - log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and (PICS_SEC_SHA256 or PICS_SEC_BRAINPOOL_P256R1 or PICS_SEC_BRAINPOOL_P384R1) required for executing the TC ***"); + log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and (PICS_SEC_SHA256 or PICS_SEC_BRAINPOOL_P256R1 or PICS_SEC_BRAINPOOL_P384R1 required for executing the TC ***"); setverdict(inconc); stop; } 
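Review bot: The new `log(...)` string in this hunk loses the closing parenthesis after `PICS_SEC_BRAINPOOL_P384R1`, so the skip message reads `(PICS_SEC_SHA256 or ... required` with an unbalanced group. The same edit is repeated in the hunks at 3232, 3300, 3369, 3446 and 3523, and the previous text `... or PICS_SEC_BRAINPOOL_P384R1) required for executing the TC ***"` should be kept in all of them. The guard on the context line above it also disagrees with the message: `not PICS_IUT_CA_ROLE and not PICS_SEC_SHA256 and ...` fires only when every PICS is false, so an IUT without the CA role but with SHA-256 still runs the case. `if (not PICS_IUT_CA_ROLE or (not PICS_SEC_SHA256 and not PICS_SEC_BRAINPOOL_P256R1 and not PICS_SEC_BRAINPOOL_P384R1)) {` matches what the message states. The testcase body starts and ends outside the hunk.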
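Review bot: The guard kept as context in the hunk at 3232 does not enforce PICS_SEC_EXPLICIT_CERTIFICATES on its own, because `and` binds tighter than `or` in TTCN-3. `(not PICS_IUT_CA_ROLE) or not(PICS_SEC_EXPLICIT_CERTIFICATES) and not PICS_SEC_SHA256 and ...` therefore skips the case only when explicit certificates and every algorithm PICS are all false. The hunks at 3300, 3369, 3446 and 3523 carry the same expression, so a certificate-profile case can run and set a verdict against an IUT that never declared the capability. Grouping the terms as the log message describes fixes it: `if (not PICS_IUT_CA_ROLE or not PICS_SEC_EXPLICIT_CERTIFICATES or (not PICS_SEC_SHA256 and not PICS_SEC_BRAINPOOL_P256R1 and not PICS_SEC_BRAINPOOL_P384R1)) {`, with the P384R1 term dropped in the 3369 variant.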
@@ -3369,7 +3369,7 @@ module ItsPki_TestCases { // Test control if ((not PICS_IUT_CA_ROLE) or not(PICS_SEC_EXPLICIT_CERTIFICATES) and not PICS_SEC_SHA256 and not PICS_SEC_BRAINPOOL_P256R1) { - log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and (PICS_SEC_SHA256 or PICS_SEC_BRAINPOOL_P256R1) required for executing the TC ***"); + log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and (PICS_SEC_SHA256 or PICS_SEC_BRAINPOOL_P256R1 required for executing the TC ***"); setverdict(inconc); stop; } @@ -3446,7 +3446,7 @@ module ItsPki_TestCases { // Test control if ((not PICS_IUT_CA_ROLE) or not(PICS_SEC_EXPLICIT_CERTIFICATES) and not PICS_SEC_SHA256 and not PICS_SEC_BRAINPOOL_P256R1 and not PICS_SEC_BRAINPOOL_P384R1) { - log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and (PICS_SEC_SHA256 or PICS_SEC_BRAINPOOL_P256R1 or PICS_SEC_BRAINPOOL_P384R1) required for executing the TC ***"); + log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and (PICS_SEC_SHA256 or PICS_SEC_BRAINPOOL_P256R1 or PICS_SEC_BRAINPOOL_P384R1 required for executing the TC ***"); setverdict(inconc); stop; } @@ -3523,7 +3523,7 @@ module ItsPki_TestCases { // Test control if ((not PICS_IUT_CA_ROLE) or not(PICS_SEC_EXPLICIT_CERTIFICATES) and not PICS_SEC_SHA256 and not PICS_SEC_BRAINPOOL_P256R1 and not PICS_SEC_BRAINPOOL_P384R1) { - log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and (PICS_SEC_SHA256 or PICS_SEC_BRAINPOOL_P256R1 or PICS_SEC_BRAINPOOL_P384R1) required for executing the TC ***"); + log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and (PICS_SEC_SHA256 or PICS_SEC_BRAINPOOL_P256R1 or PICS_SEC_BRAINPOOL_P384R1 required for executing the TC ***"); setverdict(inconc); stop; } 
@@ -3591,8 +3591,8 @@ module ItsPki_TestCases { var Certificate v_root_certificate; // Test control - if ((not PICS_IUT_CA_ROLE) or not(PICS_SEC_EXPLICIT_CERTIFICATES) and not PICS_SEC_SHA256 and not PICS_SEC_BRAINPOOL_P256R1 and not PICS_SEC_BRAINPOOL_P384R1) { - log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and (PICS_SEC_SHA256 or PICS_SEC_BRAINPOOL_P256R1 or PICS_SEC_BRAINPOOL_P384R1) required for executing the TC ***"); + if (not PICS_IUT_CA_ROLE) { + log("*** " & testcasename() & ": PICS_IUT_CA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } @@ -3677,8 +3677,8 @@ module ItsPki_TestCases { var Certificate v_root_certificate; // Test control - if ((not PICS_IUT_CA_ROLE) or not(PICS_SEC_EXPLICIT_CERTIFICATES) and not PICS_SEC_SHA256 and not PICS_SEC_BRAINPOOL_P256R1 and not PICS_SEC_BRAINPOOL_P384R1) { - log("*** " & testcasename() & ": PICS_IUT_CA_ROLE and PICS_SEC_EXPLICIT_CERTIFICATES and (PICS_SEC_SHA256 or PICS_SEC_BRAINPOOL_P256R1 or PICS_SEC_BRAINPOOL_P384R1) required for executing the TC ***"); + if (not PICS_IUT_CA_ROLE) { + log("*** " & testcasename() & ": PICS_IUT_CA_ROLE required for executing the TC ***"); setverdict(inconc); stop; } @@ -3715,6 +3715,254 @@ module ItsPki_TestCases { } // End of testcase TC_SECPKI_CA_CERTGEN_15_BV + /** + * @desc Check that all PSID entries of the certIssuePermissions component of the certificate are unique + *
+     * Pics Selection: PICS_IUT_CA_ROLE
+     * Initial conditions: 
+     *     with {
+     *         CA is in 'operational' state
+     *     }
+     * Expected behaviour:
+     *     ensure that {
+     *         when {
+     *             the CA issued the certificate
+     *                 containing toBeSigned
+     *                     containing certIssuePermissions
+     *         }
+     *         then {
+     *             this certificate is of type EtsiTs103097Certificate
+     *                 containing issuer
+     *                     containing toBeSigned
+     *                         containing certIssuePermissions
+     *                             containing items of type PsidGroupPermissions
+     *                                 containing subjectPermissions
+     *                                     containing explicit
+     *                                     and containing items of type PsidSspRange
+     *                                         containing psid
+     *                                             indicating unique values in this sequence
+     *         }
+     *     }
+     * 
+ *
+ * @see ETSI TS 103 525-2 v1.1.4 SECPKI_CA_CERTGEN_16_BV
+ * @reference ETSI TS 103 097 [1], clauses 6.4.28, 5.1.2.4
+ */
+ testcase TC_SECPKI_CA_CERTGEN_16_BV() runs on ItsMtc system ItsPkiHttpSystem {
+ // Local variables
+ var integer v_result;
+ var Certificate v_root_certificate;
+
+ // Test control
+ if (not PICS_IUT_CA_ROLE) {
+ log("*** " & testcasename() & ": PICS_IUT_CA_ROLE required for executing the TC ***");
+ setverdict(inconc);
+ stop;
+ }
+
+ // Test component configuration
+ f_connect4SelfOrClientSync();
+
+ // Test adapter configuration
+ if (not f_loadCertificates(PX_IUT_SEC_CONFIG_NAME) ) {
+ log("*** INFO: TEST CASE NOW STOPPING ITSELF! ***");
+ stop;
+ }
+
+ // Preamble
+ v_result := f_get_root_ca_certificate(-, -, v_root_certificate);
+ if (v_result == -1) {
+ log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***");
+ f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
+ } else {
+ f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
+ }
+
+ // Test Body
+ if (f_verify_rca_certificate(-, v_root_certificate, -, -, -, -, -, true) == false) {
+ log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+ } else {
+ log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
+ }
+
+ // Postamble
+ f_disconnect4SelfOrClientSync();
+
+ } // End of testcase TC_SECPKI_CA_CERTGEN_16_BV
+
+ /**
+ * @desc Check that SSP field in each entry of the appPermissions component of the AT certificate is equal to or a subset of the SSP Range in the corresponding issuing entry
+ *
+     * Pics Selection: PICS_IUT_CA_ROLE
+     * Initial conditions: 
+     *     with {
+     *         CA is in 'operational' state
+     *     }
+     * Expected behaviour:
+     *     ensure that {
+     *         when {
+     *             the CA issued the certificate
+     *                 containing toBeSigned
+     *                     containing certIssuePermissions
+     *         }
+     *         then {
+     *             this certificate is of type EtsiTs103097Certificate
+     *                 containing issuer
+     *                     referenced to the certificate
+     *                         containing toBeSigned
+     *                             containing certIssuePermissions
+     *                                 containing items of type PsidGroupPermissions
+     *                                       containing eeType
+     *                                         indicating app(0)
+     *                                       and containing subjectPermissions
+     *                                         containing explicit
+     *                                             containing items of type PsidSspRange
+     *                                                 containing psid
+     *                                                     indicating X_PSID_AA
+     *                                                 containing sspRange
+     *                                                     indicating X_SSP_AA [ X_PSID_AA ]
+     *                                             or containing all
+     *                 and containing toBeSigned
+     *                         containing appPermissions
+     *                             containing items of type PsidSsp
+     *                                 containing psid
+     *                                     indicating value equal to X_PSID_AA
+     *                                 containing ssp
+     *                                     indicating value permitted by X_SSP_AA [ X_PSID_AA ]
+     *         }
+     *     }
+     * 
+ *
+ * @see ETSI TS 103 525-2 v1.1.4 SECPKI_CA_CERTGEN_17_BV
+ * @reference ETSI TS 103 097 [1], clauses 6.4.28, 5.1.2.4
+ */
+ testcase TC_SECPKI_CA_CERTGEN_17_BV() runs on ItsMtc system ItsPkiHttpSystem {
+ // Local variables
+ var integer v_result;
+ var Certificate v_root_certificate;
+
+ // Test control
+ if (not PICS_IUT_CA_ROLE) {
+ log("*** " & testcasename() & ": PICS_IUT_CA_ROLE required for executing the TC ***");
+ setverdict(inconc);
+ stop;
+ }
+
+ // Test component configuration
+ f_connect4SelfOrClientSync();
+
+ // Test adapter configuration
+ if (not f_loadCertificates(PX_IUT_SEC_CONFIG_NAME) ) {
+ log("*** INFO: TEST CASE NOW STOPPING ITSELF! ***");
+ stop;
+ }
+
+ // Preamble
+ v_result := f_get_root_ca_certificate(-, -, v_root_certificate);
+ if (v_result == -1) {
+ log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***");
+ f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
+ } else {
+ f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
+ }
+
+ // Test Body
+ if (f_verify_rca_certificate(-, v_root_certificate, -, -, -, -, -, -, true) == false) {
+ log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
+ } else {
+ log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***");
+ f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
+ }
+
+ // Postamble
+ f_disconnect4SelfOrClientSync();
+
+ } // End of testcase TC_SECPKI_CA_CERTGEN_17_BV
+
+ /**
+ * @desc Check that the validityPeriod of the subordinate certificate is inside the validityPeriod of the issuing certificate
+ *
+     * Pics Selection: PICS_IUT_CA_ROLE
+     * Initial conditions: 
+     *     with {
+     *         CA is in 'operational' state
+     *         and the CA is authorized with CA certificate
+     *             containing toBeSigned
+     *                 containing validityPeriod
+     *                     containing start
+     *                         indicating X_START_VALIDITY_CA
+     *                     containing duration
+     *                         indicating X_DURATION_CA
+     *     }
+     * Expected behaviour:
+     *     ensure that {
+     *         when {
+     *             the CA issued the certificate
+     *                 containing toBeSigned
+     *                     containing certIssuePermissions
+     *         }
+     *         then {
+     *             this certificate is of type EtsiTs103097Certificate
+     *                 containing toBeSigned
+     *                     containing validityPeriod
+     *                         containing start
+     *                             indicating X_START_VALIDITY ( X_START_VALIDITY >= X_START_VALIDITY_CA )
+     *                         and containing duration
+     *                             indicating value <= X_START_VALIDITY_CA + X_DURATION_CA - X_START_VALIDITY
+     *         }
+     *     }
+     * 
+ * + * @see ETSI TS 103 525-2 v1.1.4 SECPKI_CA_CERTGEN_18_BV + * @reference ETSI TS 103 097 [1], clauses 6.4.28, 5.1.2.4 + */ + testcase TC_SECPKI_CA_CERTGEN_18_BV() runs on ItsMtc system ItsPkiHttpSystem { + // Local variables + var integer v_result; + var Certificate v_root_certificate; + + // Test control + if (not PICS_IUT_CA_ROLE) { + log("*** " & testcasename() & ": PICS_IUT_CA_ROLE required for executing the TC ***"); + setverdict(inconc); + stop; + } + + // Test component configuration + f_connect4SelfOrClientSync(); + + // Test adapter configuration + if (not f_loadCertificates(PX_IUT_SEC_CONFIG_NAME) ) { + log("*** INFO: TEST CASE NOW STOPPING ITSELF! ***"); + stop; + } + + // Preamble + v_result := f_get_root_ca_certificate(-, -, v_root_certificate); + if (v_result == -1) { + log("*** " & testcasename() & ": INCONC: Fail to retrive the RCA ***"); + f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout); + } else { + f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success); + } + + // Test Body + if (f_verify_rca_certificate(-, v_root_certificate, -, -, -, -, -, -, -, true) == false) { + log("*** " & testcasename() & ": FAIL: Failed to verify RCA message ***"); + f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error); + } else { + log("*** " & testcasename() & ": PASS: ToBeSignedRcaCtl received ***"); + f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success); + } + + // Postamble + f_disconnect4SelfOrClientSync(); + + } // End of testcase TC_SECPKI_CA_CERTGEN_18_BV + } // End of group ca_behaviour group ea_behavior { diff --git a/ttcn/LibIts b/ttcn/LibIts index 4edb6ec9..c17c78b9 160000 --- a/ttcn/LibIts +++ b/ttcn/LibIts @@ -1 +1 @@ -Subproject commit 4edb6ec912770497eb6fc19cb6ea066914b443cf +Subproject commit c17c78b974373442b1e1f5ebe17779d1440b8155 -- GitLab
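Review bot: TC_SECPKI_CA_CERTGEN_16_BV, _17_BV and _18_BV each fetch only the root CA certificate and hand it to `f_verify_rca_certificate` with one positional `true`, while their test purposes relate an issued certificate to its issuer (appPermissions SSPs against the issuer's certIssuePermissions in 17, validityPeriod containment in 18). `f_verify_rca_certificate` lives in LibIts and is not visible in this diff, so whether it ever sees a subordinate or AT certificate cannot be confirmed here. If it inspects only the self-signed root, these cases can reach a pass verdict without exercising the constraint they are named for. The three calls differ only in how many `-` placeholders precede `true`, which is easy to get wrong; a comment naming the selected check at each call, e.g. `// 9th parameter: check SSP of appPermissions against issuer SSP range`, would make that reviewable. The verdict logs are also copied from a CTL case (`PASS: ToBeSignedRcaCtl received`, `Failed to verify RCA message`) and should state the property checked, for example `": PASS: certIssuePermissions PSID entries are unique ***"`.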