Newer
Older
Yann Garcia
committed
4001
4002
4003
4004
4005
4006
4007
4008
4009
4010
4011
4012
4013
4014
4015
4016
4017
4018
4019
4020
4021
4022
4023
4024
4025
4026
4027
4028
4029
4030
4031
4032
4033
4034
4035
4036
4037
4038
4039
4040
4041
4042
4043
4044
4045
4046
4047
4048
4049
4050
4051
4052
4053
4054
4055
4056
4057
4058
4059
4060
4061
4062
4063
4064
4065
4066
4067
4068
4069
4070
4071
4072
4073
4074
4075
4076
4077
4078
4079
4080
4081
4082
4083
4084
4085
4086
4087
4088
4089
4090
4091
4092
4093
4094
4095
4096
4097
4098
4099
4100
4101
4102
4103
4104
4105
4106
4107
4108
4109
4110
4111
4112
4113
4114
4115
4116
4117
4118
4119
4120
4121
4122
4123
4124
4125
4126
4127
4128
4129
4130
4131
4132
4133
4134
4135
4136
4137
4138
4139
4140
4141
4142
4143
4144
4145
4146
4147
4148
4149
4150
4151
4152
4153
4154
4155
4156
4157
4158
4159
4160
4161
4162
4163
4164
4165
4166
4167
4168
4169
4170
4171
4172
4173
4174
4175
4176
4177
4178
4179
4180
4181
4182
4183
4184
4185
4186
4187
4188
4189
4190
4191
4192
4193
4194
4195
4196
4197
4198
4199
4200
4201
4202
4203
4204
4205
4206
4207
4208
4209
4210
4211
4212
4213
4214
4215
4216
4217
4218
4219
4220
4221
4222
4223
4224
4225
4226
4227
4228
4229
4230
4231
4232
4233
alt {
[] a_await_at_http_response_from_iut(
mw_http_request(
mw_http_request_post(
PICS_HTTP_POST_URI_AT,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(vc_aaHashedId8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_request
) {
tc_ac.stop;
// Verify IUT response
f_verify_http_at_request_from_iut_itss(v_request.request, v_request.headers, v_inner_at_request, v_response, v_result);
// Send response
if (isvalue(v_response)) {
httpPort.send(v_response);
}
// Set verdict
if (v_result == 0) {
log("*** " & testcasename() & ": LOG: ", match(v_generated_keys, superset(v_inner_at_request.publicKeys.verificationKey)), "***");
if (match(v_generated_keys, superset(v_inner_at_request.publicKeys.verificationKey))) {
v_generated_keys[v_counter] := v_inner_at_request.publicKeys.verificationKey;
v_counter := v_counter + 1;
f_selfOrClientSyncAndVerdictTestBody(c_prDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Duplication of generated public keys ***");
f_selfOrClientSyncAndVerdict(c_prDone, e_error);
}
} else {
log("*** " & testcasename() & ": FAIL: Failed to verify EA an EnrolmentRequestMessage ***");
f_selfOrClientSyncAndVerdict(c_prDone, e_error);
}
}
[] tc_ac.timeout {
if (v_counter == PX_RE_AUTHORIZATION_COUNTER) {
log("*** " & testcasename() & ": PASS: InnerAtRequest received with different key pairs ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
}
} // End of 'alt' statement
*/
// Postamble
f_cfHttpDown();
} // End of function f_TC_SECPKI_ITSS_AUTH_04_BV_pki
} // End of group f_TC_SECPKI_ITSS_AUTH_04_BV
/**
* @desc Check that the Authozation request protocol version is set to 1.
* <pre>
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION
* Initial conditions:
* with {
* the IUT being in the "operational state"
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT is triggered to requested a new Authorization Ticket (AT)
* }
* then {
* the IUT sends EtsiTs103097Data to the AA
* containing version
* indicating value 1
* and containing content
* containing autihorizationRequest
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_AUTH_05_BV
* @reference ETSI TS 102 941 [2], clause 6.2.3.3.1
*/
testcase TC_SECPKI_ITSS_AUTH_05_BV() runs on ItsMtc system ItsPkiItssSystem {
// Local variables
var ItsPkiItss v_itss;
var ItsPkiHttp v_ea;
// Test control
if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) {
log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfMtcUp01(v_itss, v_ea);
// Start component
v_itss.start(f_TC_SECPKI_ITSS_AUTH_01_BV_itss());
v_ea.start(f_TC_SECPKI_ITSS_AUTH_01_BV_pki());
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
// Cleanup
f_cfMtcDown01(v_itss, v_ea);
} // End of testcase TC_SECPKI_ITSS_AUTH_05_BV
/**
* @desc Check that for each authorization request the ITS-S generates a new verification key pair
* Check that for each authorization request the ITS-S generates a new encryption key pair
* Check that for each authorization request the ITS-S generates a new hmac-key
* <pre>
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION
* Initial conditions:
* with {
* the IUT in 'enrolled' state
* the IUT being in the "operational state"
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT is triggered to request new Authorization Ticket (AT)
* }
* then {
* the IUT sends a EtsiTs103097Data to the AA
* containing EtsiTs102941Data
* containing authorizationRequest
* containing publicKeys
* containing verificationKey
* indicating value not equal to the field verificationKey of N previous messages
* and not containing encryptionKey
* or containing encryptionKey
* indicating value not equal to the field encryptionKey of N previous messages
* and containing hmacKey
* indicating value not equal to the field hmacKey of N previous messages
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_AUTH_06_BV
* @reference ETSI TS 102 941 [2], clause 6.2.3.3.1
*/
testcase TC_SECPKI_ITSS_AUTH_06_BV() runs on ItsMtc system ItsPkiItssSystem {
// Local variables
var ItsPkiItss v_itss;
var ItsPkiHttp v_ea;
// Test control
if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) {
log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfMtcUp01(v_itss, v_ea);
// Start component
v_itss.start(f_TC_SECPKI_ITSS_AUTH_06_BV_itss());
v_ea.start(f_TC_SECPKI_ITSS_AUTH_06_BV_pki());
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
// Cleanup
f_cfMtcDown01(v_itss, v_ea);
} // End of testcase TC_SECPKI_ITSS_AUTH_06_BV
group f_TC_SECPKI_ITSS_AUTH_06_BV {
function f_TC_SECPKI_ITSS_AUTH_06_BV_itss() runs on ItsPkiItss system ItsPkiItssSystem {
// Local variables
var HashedId8 v_certificate_digest := int2oct(0, 8);
var EtsiTs103097Certificate v_certificate;
// Test component configuration
f_cfUp_itss();
// Test adapter configuration
// Preamble
// First enrolment
geoNetworkingPort.clear;
tc_ac.start;
alt {
[] a_await_cam_with_current_cert(v_certificate) {
tc_ac.stop;
if (PX_TRIGGER_EC_BEFORE_AT) {
f_sendUtTriggerEnrolmentRequestPrimitive();
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
}
}
[] geoNetworkingPort.receive(
mw_geoNwInd(
mw_geoNwSecPdu(
mw_etsiTs103097Data_signed
))) {
repeat;
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected CA message not received ***");
f_selfOrClientSyncAndVerdict(c_prDone, e_timeout);
}
} // End of 'alt' statement
// Test Body
// N authorization
for (var integer v_i := 0; v_i < PX_RE_AUTHORIZATION_COUNTER; v_i := v_i + 1) {
f_sendUtTriggerAuthorizationRequestPrimitive();
f_sleep(PX_RE_AUTHORIZATION_DELAY);
} // End of 'for' statement
log("*** " & testcasename() & ": PASS: Enrolment trigger sent succesfully ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
// Postamble
f_cfDown_itss();
} // End of function f_TC_SECPKI_ITSS_AUTH_04_BV_itss
function f_TC_SECPKI_ITSS_AUTH_06_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem {
// Local variable
var Headers v_headers;
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_init_default_headers_list(-, "inner_at_response", v_headers);
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
Yann Garcia
committed
// Test body
// Wait for the first authorization response
for (var integer v_i := 0; v_i < PX_RE_AUTHORIZATION_COUNTER; v_i := v_i + 1) {
var HttpMessage v_request;
var HttpMessage v_response;
var InnerAtResponse v_inner_at_response;
var ListOfPublicVerificationKey v_generated_keys;
var ListOfPublicEncryptionKey v_enc_keys;
var ListofHmacKey v_hmac_keys;
var InnerAtRequest v_inner_at_request;
var InnerEcResponse v_inner_ec_response;
var integer v_result;
var PublicVerificationKey v_key;
var PublicEncryptionKey v_enc_key;
var Oct32 v_hmac_key;
Yann Garcia
committed
// Verify IUT response
f_verify_http_at_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_response.certificate, v_inner_at_request, v_inner_at_response, v_response, v_result);
if(v_result != 0){
log("*** " & testcasename() & ": ERROR: AT request receiving error ***");
setverdict(inconc);
f_clientSync(c_nextTry, e_error);
}
v_key := v_inner_at_request.publicKeys.verificationKey;
Yann Garcia
committed
if (isbound(v_generated_keys) and match(v_generated_keys, superset(v_key))) {
log("*** " & testcasename() & ": LOG: ", match(v_generated_keys, superset(v_key)), "***");
log("*** " & testcasename() & ": FAIL: Duplication of generated verification keys ***");
setverdict(fail);
f_clientSync(c_nextTry, e_error);
Yann Garcia
committed
}
Yann Garcia
committed
v_enc_key := v_inner_at_request.publicKeys.encryptionKey;
Yann Garcia
committed
if (isbound(v_enc_key) and match(v_enc_keys, superset(v_enc_key))) {
log("*** " & testcasename() & ": LOG: ", match(v_enc_keys, superset(v_enc_key)), "***");
log("*** " & testcasename() & ": FAIL: Duplication of generated encryption keys ***");
setverdict(fail);
f_clientSync(c_nextTry, e_error);
}
v_enc_keys[v_i] := v_enc_key;
Yann Garcia
committed
v_hmac_key := v_inner_at_request.hmacKey;
if (isbound(v_hmac_keys) and match(v_hmac_keys, superset(v_hmac_key))) {
log("*** " & testcasename() & ": LOG: ", match(v_hmac_keys, superset(v_hmac_key)), "***");
log("*** " & testcasename() & ": FAIL: Duplication of generated hmac keys ***");
setverdict(fail);
f_clientSync(c_nextTry, e_error);
Yann Garcia
committed
}
v_hmac_keys[v_i] := v_hmac_key;
f_clientSync(c_nextTry, e_success);
}
log("*** " & testcasename() & ": PASS: No identical keys received in " & int2str(PX_RE_AUTHORIZATION_COUNTER) & " messages ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
Yann Garcia
committed
4294
4295
4296
4297
4298
4299
4300
4301
4302
4303
4304
4305
4306
4307
4308
4309
4310
4311
4312
4313
4314
4315
4316
4317
4318
4319
4320
4321
4322
4323
4324
4325
4326
4327
4328
4329
4330
4331
4332
4333
4334
4335
4336
4337
4338
4339
4340
4341
4342
4343
4344
4345
4346
4347
4348
4349
4350
4351
4352
4353
4354
4355
4356
4357
4358
4359
4360
4361
4362
4363
4364
4365
4366
4367
4368
4369
4370
4371
4372
4373
4374
4375
4376
4377
4378
4379
4380
4381
4382
4383
4384
4385
4386
4387
4388
4389
4390
4391
4392
4393
4394
4395
4396
4397
4398
4399
4400
4401
4402
4403
4404
4405
4406
4407
4408
4409
4410
4411
4412
4413
4414
4415
4416
4417
4418
4419
4420
4421
4422
4423
4424
4425
4426
4427
4428
4429
4430
4431
4432
4433
4434
4435
4436
4437
4438
4439
4440
4441
4442
4443
4444
4445
4446
4447
4448
4449
4450
4451
4452
4453
4454
4455
4456
4457
4458
4459
4460
4461
4462
4463
4464
// Postamble
f_cfHttpDown();
} // End of function f_TC_SECPKI_ITSS_AUTH_06_BV_pki
} // End of group f_TC_SECPKI_ITSS_AUTH_06_BV
/**
* @desc Check that ITS-S sends Authorization request with a keyTag field computed as described in ETSI TS 102 941 [1], clause 6.2.3.3.1
* <pre>
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION
* Initial conditions:
* with {
* the IUT in 'enrolled' state
* the IUT being in the "operational state"
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT is triggered to request a new Authorization Ticket (AT)
* }
* then {
* the IUT sends a EtsiTs103097Data to the AA
* containing EtsiTs102941Data
* containing authorizationRequest
* containing sharedAtRequest
* containing keyTag
* indicating properly calculated value
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_AUTH_07_BV
* @reference ETSI TS 102 941 [2], clause 6.2.3.3.1
*/
testcase TC_SECPKI_ITSS_AUTH_07_BV() runs on ItsMtc system ItsPkiItssSystem {
// Local variables
var ItsPkiItss v_itss;
var ItsPkiHttp v_ea;
// Test control
if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) {
log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfMtcUp01(v_itss, v_ea);
// Start component
v_itss.start(f_TC_SECPKI_ITSS_AUTH_01_BV_itss());
v_ea.start(f_TC_SECPKI_ITSS_AUTH_01_BV_pki());
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
// Cleanup
f_cfMtcDown01(v_itss, v_ea);
} // End of testcase TC_SECPKI_ITSS_AUTH_07_BV
/**
* @desc Check that ITS-S sends Authorization request with eaId of EA certificate
* <pre>
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION
* Initial conditions:
* with {
* the IUT is enrolled by the EC, signed with the CERT EA certificate
* the IUT being in the "operational" state
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT is triggered to request new Authorization Ticket (AT)
* }
* then {
* the IUT sends a EtsiTs103097Data to the AA
* containing EtsiTs102941Data
* containing authorizationRequest
* containing sharedAtRequest
* containing eaId
* indicating HashedId8 of CERT_ EA certificate
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_AUTH_08_BV
* @reference ETSI TS 102 941 [2], clause 6.2.3.3.1
*/
testcase TC_SECPKI_ITSS_AUTH_08_BV() runs on ItsMtc system ItsPkiItssSystem {
// Local variables
var ItsPkiItss v_itss;
var ItsPkiHttp v_ea;
// Test control
if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) {
log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfMtcUp01(v_itss, v_ea);
// Start component
v_itss.start(f_TC_SECPKI_ITSS_AUTH_01_BV_itss());
v_ea.start(f_TC_SECPKI_ITSS_AUTH_08_BV_pki());
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
// Cleanup
f_cfMtcDown01(v_itss, v_ea);
} // End of testcase TC_SECPKI_ITSS_AUTH_08_BV
group f_TC_SECPKI_ITSS_AUTH_08_BV {
function f_TC_SECPKI_ITSS_AUTH_08_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem {
// Local variable
var Headers v_headers;
var HttpMessage v_request;
var InnerEcResponse v_inner_ec_response;
var InnerEcRequest v_inner_ec_request;
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_init_default_headers_list(-, "inner_at_response", v_headers);
if (PX_TRIGGER_EC_BEFORE_AT) {
if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) {
log("*** " & testcasename() & ": INFO: Enrolment succeed ***");
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
} else {
log("*** " & testcasename() & ": INCONC: Enrolment failed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
}
} else {
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
}
// Test Body
tc_ac.start;
alt {
[] a_await_at_http_request_from_iut(
mw_http_request(
mw_http_request_post(
PICS_HTTP_POST_URI_AT,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_aaHashedId8)), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_request
) {
var HttpMessage v_response;
var integer v_result;
var InnerAtRequest v_inner_at_request;
var InnerAtResponse v_inner_at_response;
tc_ac.stop;
// Verify IUT response
f_verify_http_at_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_response.certificate, v_inner_at_request, v_inner_at_response, v_response, v_result);
log("f_TC_SECPKI_ITSS_AUTH_08_BV_pki: v_result: ", v_result);
log("f_TC_SECPKI_ITSS_AUTH_08_BV_pki: v_response: ", v_response);
Yann Garcia
committed
var charstring v_ea_certificate_id := "CERT_TS_A_EA";
Yann Garcia
committed
var HashedId8 v_ea_certificate_hashed_id8;
var EtsiTs103097Certificate v_ea_certificate;
// Calculate the HashedId8 of CERT_ EA certificate
var HashAlgorithm hash := f_getHashAlgorithm(v_ea_certificate.issuer)
if (hash == sha256){
f_getCertificateHash256(v_ea_certificate_id, v_hash);
v_ea_certificate_hashed_id8 := f_hashedId8FromSha256(v_hash);
log("*** " & testcasename() & ": DEBUG: v_ea_certificate_hashed_id8= ", v_ea_certificate_hashed_id8);
} else if (hash == sha384) {
v_hash := f_hashWithSha384(bit2oct(encvalue(v_ea_certificate)));
v_ea_certificate_hashed_id8 := f_hashedId8FromSha384(v_hash);
log("*** " & testcasename() & ": DEBUG: v_ea_certificate_hashed_id8= ", v_ea_certificate_hashed_id8);
}
Yann Garcia
committed
// Set verdict
if (v_result == 0) {
var octetstring v_msg;
var octetstring v_hashed_id8;
Yann Garcia
committed
log("*** " & testcasename() & ": PASS: InnerAtResponse received ***");
if(ispresent(v_inner_at_request.sharedAtRequest.eaId)){
if (match(v_inner_at_request.sharedAtRequest.eaId, v_ea_certificate_hashed_id8) == true) {
Yann Garcia
committed
v_msg := bit2oct(encvalue(v_inner_at_response.certificate));
if (ischosen(v_inner_at_response.certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaBrainpoolP384r1)) {
v_hashed_id8 := f_hashedId8FromSha384(f_hashWithSha384(v_msg));
} else {
v_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256(v_msg));
}
infoPort.send(InfoPortData : { hashed_id8 := v_hashed_id8, at_certificate := v_inner_at_response.certificate });
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: eaId is not equal to the EA_CERT HashedId8 ***");
Yann Garcia
committed
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
} else {
log("*** " & testcasename() & ": FAIL: Can't parse authorization request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}}}
Yann Garcia
committed
4511
4512
4513
4514
4515
4516
4517
4518
4519
4520
4521
4522
4523
4524
4525
4526
4527
4528
4529
4530
4531
4532
4533
4534
4535
4536
4537
4538
4539
4540
4541
4542
4543
4544
4545
4546
4547
4548
4549
4550
4551
4552
4553
4554
4555
4556
4557
4558
4559
4560
4561
4562
4563
4564
4565
4566
4567
4568
4569
4570
4571
4572
4573
4574
4575
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of function f_TC_SECPKI_ITSS_AUTH_08_BV_pki
} // End of group f_TC_SECPKI_ITSS_AUTH_08_BV
/**
* @desc Check that ITS-S sends Authorization request with the certificateFormat equal to 1
* <pre>
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION
* Initial conditions:
* with {
* the IUT in 'enrolled' state
* and the AA in 'operational' state
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT is triggered to request new Authorization Ticket (AT)
* }
* then {
* the IUT sends a EtsiTs103097Data to the AA
* containing EtsiTs102941Data
* containing authorizationRequest
* containing sharedAtRequest
* containing certificateFormat
* indicating 1
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_AUTH_09_BV
* @reference ETSI TS 102 941 [2], clause 6.2.3.3.1
*/
testcase TC_SECPKI_ITSS_AUTH_09_BV() runs on ItsMtc system ItsPkiItssSystem {
// Local variables
var ItsPkiItss v_itss;
var ItsPkiHttp v_ea;
// Test control
if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) {
log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfMtcUp01(v_itss, v_ea);
// Start component
v_itss.start(f_TC_SECPKI_ITSS_AUTH_01_BV_itss());
v_ea.start(f_TC_SECPKI_ITSS_AUTH_09_BV_pki());
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
// Cleanup
f_cfMtcDown01(v_itss, v_ea);
} // End of testcase TC_SECPKI_ITSS_AUTH_09_BV
Yann Garcia
committed
4577
4578
4579
4580
4581
4582
4583
4584
4585
4586
4587
4588
4589
4590
4591
4592
4593
4594
4595
4596
4597
4598
4599
4600
4601
4602
4603
4604
4605
4606
4607
4608
4609
4610
4611
4612
4613
4614
4615
4616
4617
4618
4619
4620
4621
4622
4623
4624
4625
4626
4627
4628
4629
4630
4631
group f_TC_SECPKI_ITSS_AUTH_09_BV {
function f_TC_SECPKI_ITSS_AUTH_09_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem {
// Local variable
var Headers v_headers;
var HttpMessage v_request;
var InnerEcResponse v_inner_ec_response;
var InnerEcRequest v_inner_ec_request;
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_init_default_headers_list(-, "inner_at_response", v_headers);
if (PX_TRIGGER_EC_BEFORE_AT) {
if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) {
log("*** " & testcasename() & ": INFO: Enrolment succeed ***");
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
} else {
log("*** " & testcasename() & ": INCONC: Enrolment failed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
}
} else {
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
}
// Test Body
tc_ac.start;
alt {
[] a_await_at_http_request_from_iut(
mw_http_request(
mw_http_request_post(
PICS_HTTP_POST_URI_AT,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_aaHashedId8)), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_request
) {
var HttpMessage v_response;
var integer v_result;
var InnerAtRequest v_inner_at_request;
var InnerAtResponse v_inner_at_response;
tc_ac.stop;
// Verify IUT response
f_verify_http_at_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_response.certificate, v_inner_at_request, v_inner_at_response, v_response, v_result);
log("f_TC_SECPKI_ITSS_AUTH_09_BV_pki: v_result: ", v_result);
log("f_TC_SECPKI_ITSS_AUTH_09_BV_pki: v_response: ", v_response);
Yann Garcia
committed
// Set verdict
if (v_result == 0) {
var octetstring v_msg;
var octetstring v_hashed_id8;
Yann Garcia
committed
if(ispresent(v_inner_at_request.sharedAtRequest.certificateFormat)){
if (v_inner_at_request.sharedAtRequest.certificateFormat == 1) {
Yann Garcia
committed
log("*** " & testcasename() & ": PASS: InnerAtResponse received ***");
v_msg := bit2oct(encvalue(v_inner_at_response.certificate));
if (ischosen(v_inner_at_response.certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaBrainpoolP384r1)) {
v_hashed_id8 := f_hashedId8FromSha384(f_hashWithSha384(v_msg));
} else {
v_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256(v_msg));
}
infoPort.send(InfoPortData : { hashed_id8 := v_hashed_id8, at_certificate := v_inner_at_response.certificate });
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: certificateFormat is not equal to 1 ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
Yann Garcia
committed
}
} else {
log("*** " & testcasename() & ": FAIL: Can't parse authorization request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}}}
Yann Garcia
committed
4660
4661
4662
4663
4664
4665
4666
4667
4668
4669
4670
4671
4672
4673
4674
4675
4676
4677
4678
4679
4680
4681
4682
4683
4684
4685
4686
4687
4688
4689
4690
4691
4692
4693
4694
4695
4696
4697
4698
4699
4700
4701
4702
4703
4704
4705
4706
4707
4708
4709
4710
4711
4712
4713
4714
4715
4716
4717
4718
4719
4720
4721
4722
4723
4724
4725
4726
4727
4728
4729
4730
4731
4732
4733
4734
4735
4736
4737
4738
4739
4740
4741
4742
4743
4744
4745
4746
4747
4748
4749
4750
4751
4752
4753
4754
4755
4756
4757
4758
4759
4760
4761
4762
4763
4764
4765
4766
4767
4768
4769
4770
4771
4772
4773
4774
4775
4776
4777
4778
4779
4780
4781
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of function f_TC_SECPKI_ITSS_AUTH_09_BV_pki
} // End of group f_TC_SECPKI_ITSS_AUTH_09_BV
/**
* @desc Check that ITS-S sends Authorization request certificate attributes are properly set
* <pre>
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION
* Initial conditions:
* with {
* the IUT in 'enrolled' state
* and the AA in 'operational' state
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT is triggered to request new Authorization Ticket (AT)
* }
* then {
* the IUT sends a EtsiTs103097Data to the AA
* containing EtsiTs102941Data
* containing authorizationRequest
* containing sharedAtRequest
* containing requestedSubjectAttributes
* containing appPermissions
* and not containing certIssuePermissions
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_AUTH_10_BV
* @reference ETSI TS 102 941 [2], clause 6.2.3.3.1
*/
testcase TC_SECPKI_ITSS_AUTH_10_BV() runs on ItsMtc system ItsPkiItssSystem {
// Local variables
var ItsPkiItss v_itss;
var ItsPkiHttp v_ea;
// Test control
if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) {
log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfMtcUp01(v_itss, v_ea);
// Start component
v_itss.start(f_TC_SECPKI_ITSS_AUTH_01_BV_itss());
v_ea.start(f_TC_SECPKI_ITSS_AUTH_10_BV_pki());
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
// Cleanup
f_cfMtcDown01(v_itss, v_ea);
} // End of testcase TC_SECPKI_ITSS_AUTH_08_BV
group f_TC_SECPKI_ITSS_AUTH_10_BV {
function f_TC_SECPKI_ITSS_AUTH_10_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem {
// Local variable
var Headers v_headers;
var HttpMessage v_request;
var InnerEcResponse v_inner_ec_response;
var InnerEcRequest v_inner_ec_request;
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_init_default_headers_list(-, "inner_at_response", v_headers);
if (PX_TRIGGER_EC_BEFORE_AT) {
if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) {
log("*** " & testcasename() & ": INFO: Enrolment succeed ***");
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
} else {
log("*** " & testcasename() & ": INCONC: Enrolment failed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
}
} else {
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
}
// Test Body
tc_ac.start;
alt {
[] a_await_at_http_request_from_iut(
mw_http_request(
mw_http_request_post(
PICS_HTTP_POST_URI_AT,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_aaHashedId8)), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_request
) {
var HttpMessage v_response;
var integer v_result;
var InnerAtRequest v_inner_at_request;
var InnerAtResponse v_inner_at_response;
tc_ac.stop;
// Verify IUT response
f_verify_http_at_request_from_iut_itss(v_request.request, v_headers, v_inner_ec_response.certificate, v_inner_at_request, v_inner_at_response, v_response, v_result);
log("f_TC_SECPKI_ITSS_AUTH_10_BV_pki: v_result: ", v_result);
log("f_TC_SECPKI_ITSS_AUTH_10_BV_pki: v_response: ", v_response);
Yann Garcia
committed
// Set verdict
if (v_result == 0) {
var octetstring v_msg;
var octetstring v_hashed_id8;
Yann Garcia
committed
log("*** " & testcasename() & ": PASS: InnerAtResponse received ***");
if(ispresent(v_inner_at_request.sharedAtRequest.requestedSubjectAttributes.appPermissions)){
if (not(ispresent(v_inner_at_request.sharedAtRequest.requestedSubjectAttributes.certIssuePermissions))) {
Yann Garcia
committed
v_msg := bit2oct(encvalue(v_inner_at_response.certificate));
if (ischosen(v_inner_at_response.certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaBrainpoolP384r1)) {
v_hashed_id8 := f_hashedId8FromSha384(f_hashWithSha384(v_msg));
} else {
v_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256(v_msg));
}
infoPort.send(InfoPortData : { hashed_id8 := v_hashed_id8, at_certificate := v_inner_at_response.certificate });
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: certIssuePermissions are present ***");
Yann Garcia
committed
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
} else {
log("*** " & testcasename() & ": FAIL: Can't parse authorization request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}}}
Yann Garcia
committed
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of function f_TC_SECPKI_ITSS_AUTH_10_BV_pki
} // End of group f_TC_SECPKI_ITSS_AUTH_10_BV
4823
4824
4825
4826
4827
4828
4829
4830
4831
4832
4833
4834
4835
4836
4837
4838
4839
4840
4841
4842
4843
4844
4845
4846
4847
4848
4849
4850
4851
4852
4853
4854
4855
4856
4857
4858
4859
4860
4861
4862
4863
4864
4865
4866
4867
4868
4869
4870
4871
4872
4873
4874
4875
4876
4877
4878
4879
4880
4881
4882
4883
4884
4885
4886
4887
4888
4889
4890
4891
4892
4893
4894
4895
4896
4897
4898
4899
4900
4901
4902
4903
4904
4905
4906
4907
4908
4909
4910
4911
4912
4913
4914
4915
4916
4917
4918
4919
4920
4921
4922
4923
4924
4925
4926
4927
4928
4929
4930
4931
4932
4933
4934
4935
4936
4937
4938
4939
4940
4941
4942
4943
4944
4945
4946
4947
4948
4949
4950
4951
4952
4953
4954
4955
4956
4957
4958
4959
4960
4961
4962
4963
4964
4965
4966
4967
4968
4969
4970
4971
4972
4973
4974
4975
4976
4977
4978
4979
4980
4981
4982
4983
4984
4985
4986
4987
4988
4989
4990
4991
4992
4993
4994
4995
4996
4997
4998
4999
5000
/**
* @desc Check that ITS-S sends Authorization request containing EC signature
* Check that the EC signature of the Authorization request contains valid hash algorithm
* Check that the ecSignature DataHash is calculated over the sharedATRequest
* <pre>
* Pics Selection: PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION
* Initial conditions:
* with {
* the IUT in 'enrolled' state
* and the AA in 'operational' state
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT is triggered to request new Authorization Ticket (AT)
* }
* then {
* the IUT sends a EtsiTs103097Data to the AA
* containing EtsiTs102941Data
* containing authorizationRequest
* containing ecSignature
* containing structure of type EtsiTs103097Data-SignedExternalPayload
* containing hashId
* indicating supported hash algorithm (HASH_ALG)
* and containing tbsData
* containing payload
* containing extDataHash
* indicating hash of sharedATRequest using HASH_ALG
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_ITSS_AUTH_11_BV
* @reference ETSI TS 102 941 [2], clause 6.2.3.3.1
*/
testcase TC_SECPKI_ITSS_AUTH_11_BV() runs on ItsMtc system ItsPkiItssSystem {
// Local variables
var ItsPkiItss v_itss;
var ItsPkiHttp v_ea;
// Test control
if (not PICS_IUT_ITS_S_ROLE or not PICS_SECPKI_AUTHORIZATION) {
log("*** " & testcasename() & ": PICS_IUT_ITS_S_ROLE and PICS_SECPKI_AUTHORIZATION required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfMtcUp01(v_itss, v_ea);
// Start component
v_itss.start(f_TC_SECPKI_ITSS_AUTH_01_BV_itss());
v_ea.start(f_TC_SECPKI_ITSS_AUTH_11_BV_pki());
// Synchronization
f_serverSync2ClientsAndStop({c_prDone, c_tbDone});
// Cleanup
f_cfMtcDown01(v_itss, v_ea);
} // End of testcase TC_SECPKI_ITSS_AUTH_11_BV
group f_TC_SECPKI_ITSS_AUTH_11_BV {
function f_TC_SECPKI_ITSS_AUTH_11_BV_pki() runs on ItsPkiHttp system ItsPkiItssSystem {
// Local variable
var Headers v_headers;
var HttpMessage v_request;
var InnerEcRequest v_inner_ec_request;
var InnerEcResponse v_inner_ec_response;
var template (omit) EtsiTs103097Certificate v_ec_cert := omit;
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID, PICS_TS_AA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_init_default_headers_list(-, "inner_at_response", v_headers);
if (PX_TRIGGER_EC_BEFORE_AT) {
if (f_await_ec_request_send_response(v_inner_ec_request, v_inner_ec_response, v_request) == true) {
log("*** " & testcasename() & ": INFO: Enrolment succeed ***");
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
} else {
log("*** " & testcasename() & ": INCONC: Enrolment failed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
}
} else {
f_selfOrClientSyncAndVerdict(c_prDone, e_success);
}
// Test Body
tc_ac.start;
alt {
[] a_await_at_http_request_from_iut(
mw_http_request(
mw_http_request_post(
PICS_HTTP_POST_URI_AT,
-,
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentRequestMessage(
mw_encryptedData(
{ *, mw_recipientInfo_certRecipInfo(mw_pKRecipientInfo(vc_aaHashedId8)), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_request
) {
var HttpMessage v_response;
var integer v_result;
var InnerAtRequest v_inner_at_request;
var InnerAtResponse v_inner_at_response;
var Ieee1609Dot2Data v_ieee1609dot2_data_ecsig;
var octetstring v_hash_shared_at_request;
var Ieee1609Dot2Data v_ieee1609dot2_data;
tc_ac.stop;
// Verify IUT response
f_verify_http_at_request_from_iut_itss(v_request.request, v_headers, v_ec_cert, v_inner_at_request, v_inner_at_response, v_response, v_result);
log("f_TC_SECPKI_ITSS_AUTH_11_BV_pki: v_result: ", v_result);
log("f_TC_SECPKI_ITSS_AUTH_11_BV_pki: v_response: ", v_response);
// Set verdict
if (v_result == 0) {
var octetstring v_msg;
var octetstring v_hashed_id8;
log("*** " & testcasename() & ": PASS: InnerAtResponse received ***");
v_msg := bit2oct(encvalue(v_inner_at_response.certificate));
if (ischosen(v_inner_at_response.certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaBrainpoolP384r1)) {
v_hashed_id8 := f_hashedId8FromSha384(f_hashWithSha384(v_msg));
} else {
v_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256(v_msg));
}
if (not match(v_inner_at_request.ecSignature, mw_ec_signature_ext_payload)){
log("*** " & testcasename() & ": FAIL: SignedExternalPayload does not exist ***");
log("*** " & testcasename() & ": FAIL: ", match(v_inner_at_request.ecSignature, mw_ec_signature_ext_payload));
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
v_ieee1609dot2_data_ecsig := v_inner_at_request.ecSignature.ecSignature;
if(not(ispresent(v_ieee1609dot2_data_ecsig.content.signedData.hashId))){
log("*** " & testcasename() & ": FAIL: AT request shall contain hashId ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
if(not(ispresent(v_ieee1609dot2_data.content.signedData.tbsData.payload))) {
log("*** " & testcasename() & ": FAIL: AT request shall contain tbsData ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
if(ispresent(v_ieee1609dot2_data.content.signedData.tbsData.payload.extDataHash)) {
var HashAlgorithm hash := v_ieee1609dot2_data_ecsig.content.signedData.hashId;
if (hash == sha256) {
// Calculate the hash of the SharedAtRequest
v_hash_shared_at_request := f_hashWithSha256(bit2oct(encvalue(v_inner_at_request.sharedAtRequest)));
if(match(v_ieee1609dot2_data.content.signedData.tbsData.payload.extDataHash.sha256HashedData, v_hash_shared_at_request)){
infoPort.send(InfoPortData : { hashed_id8 := v_hashed_id8, at_certificate := v_inner_at_response.certificate });
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
}
} else if (hash == sha384) {
// Calculate the hash of the SharedAtRequest
v_hash_shared_at_request := f_hashWithSha384(bit2oct(encvalue(v_inner_at_request.sharedAtRequest)));
if(match(v_ieee1609dot2_data.content.signedData.tbsData.payload.extDataHash.sha384HashedData, v_hash_shared_at_request)){
infoPort.send(InfoPortData : { hashed_id8 := v_hashed_id8, at_certificate := v_inner_at_response.certificate });
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: AT request shall contain extDataHash ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
} else {
log("*** " & testcasename() & ": FAIL: Can't parse authorization request ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}}}}