Newer
Older
mw_signedData(
sha256,
mw_toBeSignedData,
m_signerIdentifier_digest(vc_eaHashedId8)
)))))),
v_response
) {
tc_ac.stop;
log("*** " & testcasename() & ": PASS: Signed message received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
12012
12013
12014
12015
12016
12017
12018
12019
12020
12021
12022
12023
12024
12025
12026
12027
12028
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_BFK_AUTH_01_BV
/**
* @desc Check that the butterfly authorization respond message, sent by EA, contains all necessary fields
* <pre>
* Pics Selection: PICS_IUT_EA_ROLE
* Initial conditions:
* the EA in 'operational' state
* authorized with CERT_EA certificate
* and the ITS-S in 'enrolled' state
* Expected behaviour:
* ensure that {
* when {
* the IUT receives a ButterflyAuthorizationRequestMessage message (REQ)
* }
* then {
* the IUT send to the ITS-S a ButterflyAuthorizationResponseMessage
* containing butterflyCertificateResponse
* containing RaEeCertInfo
* containing version
* indicating 2
* and containing generationTime
* indicating value between REQ_TIME and the current time
* and containing currentI
* and containing requestHash
* indicating the left-most 16 octets of the SHA256 digest of the REQ
* and containing nextDlTime
* and not containing acpcTreeId
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_BFK_AUTH_02_BV
* @reference ETSI TS 102 941 [1], clause 6.2.3.5.3
*/
testcase TC_SECPKI_EA_BFK_AUTH_02_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var octetstring v_private_key_ec;
var octetstring v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var HashedId8 v_ec_cert_hashed_id8;
var InnerEcResponse v_inner_ec_response;
var octetstring v_caterpillar_private_key;
var octetstring v_caterpillar_public_key_compressed;
var integer v_caterpillar_compressed_mode;
Yann Garcia
committed
var octetstring v_caterpillar_enc_private_key;
var octetstring v_caterpillar_enc_public_key_compressed;
var integer v_caterpillar_enc_compressed_mode;
12070
12071
12072
12073
12074
12075
12076
12077
12078
12079
12080
12081
12082
12083
12084
12085
12086
12087
12088
12089
12090
12091
12092
12093
12094
var EeRaCertRequest v_ee_ra_cert_request;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
// Trigger an enrolment request
if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_ec_cert_hashed_id8, v_inner_ec_response, -, true) == false) {
log("*** " & testcasename() & ": INCONC: Enrolment failed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
log("*** " & testcasename() & ": INFO: Enrolment succeed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response);
log("*** " & testcasename() & ": DEBUG: = ", v_private_key_ec);
// Generate an ButterflyAutorizationRequest
f_http_build_butterfly_authorization_request_message(v_private_key_ec, v_ec_cert_hashed_id8, v_caterpillar_private_key, v_caterpillar_public_key_compressed, v_caterpillar_compressed_mode, v_caterpillar_enc_private_key, v_caterpillar_enc_public_key_compressed, v_caterpillar_enc_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash, v_ee_ra_cert_request);
log("*** " & testcasename() & ": DEBUG: v_ee_ra_cert_request= ", v_ee_ra_cert_request);
log("*** " & testcasename() & ": DEBUG: v_caterpillar_private_key= ", v_caterpillar_private_key);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "bfk_auth_request", v_headers);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_butterflyAuthorizationResponseMessage(
mw_signedData(
sha256,
mw_toBeSignedData,
m_signerIdentifier_digest(vc_eaHashedId8)
)))))),
v_response
) {
tc_ac.stop;
var octetstring v_tbs := bit2oct(encvalue(v_response.response.body.binary_body.ieee1609dot2_data.content.signedData.tbsData));
if (f_verifyEcdsa(v_tbs, vc_eaWholeHash256, v_response.response.body.binary_body.ieee1609dot2_data.content.signedData.signature_, vc_eaCertificate.toBeSigned.verifyKeyIndicator.verificationKey) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify signature message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
var bitstring v_etsi_ts_102941_data_content_msg := oct2bit(v_response.response.body.binary_body.ieee1609dot2_data.content.signedData.tbsData.payload.data.content.unsecuredData);
var EtsiTs102941MessagesCa.EtsiTs102941Data v_etsi_ts_102941_data;
if (decvalue(v_etsi_ts_102941_data_content_msg, v_etsi_ts_102941_data) != 0) {
log("*** " & testcasename() & ": FAIL: Failed to decode message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": DBG: v_etsi_ts_102941_data: ", v_etsi_ts_102941_data);
log("*** " & testcasename() & ": INFO: match ", match(v_etsi_ts_102941_data.content, mw_butterflyAuthorizationResponse(mw_ra_ee_cert_info)), " ***"); // TODO In TITAN, this is the only way to get the unmatching in log
if (not(match(v_etsi_ts_102941_data.content, mw_butterflyAuthorizationResponse(mw_ra_ee_cert_info)))) {
log("*** " & testcasename() & ": FAIL: Unexpected message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log("*** " & testcasename() & ": PASS: ButterflyAuthorizationResponseMessage received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
}
12162
12163
12164
12165
12166
12167
12168
12169
12170
12171
12172
12173
12174
12175
12176
12177
12178
12179
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_BFK_AUTH_02_BV
} // End of group bfk_auth_response
group bfk_cert_request {
Yann Garcia
committed
group bfk_auth_request_helpers {
function f_trigger_butterfly_authorization_request(
out HashedId8 p_aes_sym_key_hashed_id8,
out EeRaCertRequest p_ee_ra_cert_request
) runs on ItsPkiHttp {
// Local variables
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcResponse v_inner_ec_response;
var octetstring v_caterpillar_private_key;
var octetstring v_caterpillar_public_key_compressed;
var integer v_caterpillar_compressed_mode;
Yann Garcia
committed
var octetstring v_caterpillar_enc_private_key;
var octetstring v_caterpillar_enc_public_key_compressed;
var integer v_caterpillar_enc_compressed_mode;
var octetstring v_private_key;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Trigger an enrolment request
/*if (f_await_http_inner_ec_request_response(v_private_key_ec, v_public_compressed_key_ec, v_compressed_key_mode_ec, v_inner_ec_response) == false) {
log("*** " & testcasename() & ": INCONC: Enrolment failed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_timeout);
} else {
log("*** " & testcasename() & ": INFO: Enrolment succeed ***");
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
}
log("*** " & testcasename() & ": DEBUG: v_inner_ec_response= ", v_inner_ec_response);
log("*** " & testcasename() & ": DEBUG: v_private_key_ec= ", v_private_key_ec);
f_http_build_butterfly_authorization_request_message(v_private_key_ec, v_ec_cert_hash_256, v_caterpillar_private_key, v_caterpillar_public_key_compressed, v_caterpillar_compressed_mode, v_caterpillar_enc_private_key, v_caterpillar_enc_public_key_compressed, v_caterpillar_enc_compressed_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash, p_ee_ra_cert_request);
p_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "bfk_auth_request", v_headers);
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
12232
12233
12234
12235
12236
12237
12238
12239
12240
12241
12242
12243
12244
12245
12246
12247
12248
} // End of function f_trigger_butterfly_authorization_request
function f_verify_http_butterfly_cert_request_message_from_aa(
in Request p_request,
in Headers p_headers,
in boolean p_checked_cocoon_keys_derivation := false,
in template (omit) octetstring p_caterpilar_compressed_key := omit,
out integer p_result,
out RaAcaCertRequest p_butterflyCertificateRequest,
out HttpMessage p_response
) runs on ItsPkiHttp {
// Local variables
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var EtsiTs102941Data v_etsi_ts_102941_data;
var template (value) HttpMessage v_response;
var Oct16 v_request_hash;
var Oct16 v_aes_enc_key;
log(">>> f_verify_http_butterfly_cert_request_message_from_aa: ", p_request);
p_result := 0;
if (f_verify_pki_request_message(vc_aaPrivateEncKey, vc_aaWholeHash/*salt*/, ''O, p_request.body.binary_body.ieee1609dot2_data, true, v_request_hash, v_bfk_hashed_id8, v_etsi_ts_102941_data, v_aes_enc_key) == false) { // Cannot decrypt the message
// Send error message
v_response := m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")); // Initialize v_reponse with an error message
// Set verdict
p_result := -1;
} else {
var UInt64 v_current_time := f_getCurrentTimeUtc();
var UInt64 v_delta_time := 30;
Yann Garcia
committed
12265
12266
12267
12268
12269
12270
12271
12272
12273
12274
12275
12276
12277
12278
12279
12280
12281
12282
12283
12284
12285
12286
12287
12288
12289
12290
12291
log("f_verify_http_butterfly_cert_request_message_from_aa: match ", match(v_etsi_ts_102941_data, mw_etsiTs102941Data_ra_aca_cert_request(mw_ra_aca_cert_request))); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_ra_aca_cert_request(mw_ra_aca_cert_request((v_current_time - v_delta_time .. v_current_time + v_delta_time), explicit, '00000000'B/*butterflyExplicit*/, mw_bfk_to_be_signed_certificate))) == false) {
// Send error message
v_response := m_http_response(m_http_response_ko_no_body(p_headers, 400, "Bad request")); // Initialize v_reponse with an error message
// Set verdict
p_result := -2;
} else {
if (p_checked_cocoon_keys_derivation == true) {
// FIXME FSCOM if (f_check_cocoon_keys_derivation(v_etsi_ts_102941_data.content.butterflyCertificateRequest.tbsCert.verifyKeyIndicator, ))
} else {
var AcaRaCertResponse v_aca_ra_cert_response;
var HashedId8 v_hashedId8;
var octetstring v_msg := bit2oct(encvalue(p_request.body.binary_body.ieee1609dot2_data));
v_hashedId8 := f_hashedId8FromSha256(f_hashWithSha256(v_msg));
f_http_build_butterfly_cert_response(v_hashedId8, vc_eaPrivateKey, vc_eaWholeHash, v_aes_enc_key, v_aca_ra_cert_response, v_ieee1609dot2_signed_and_encrypted_data);
v_response := m_http_response(m_http_response_ok(m_http_message_body_binary(m_binary_body_ieee1609dot2_data(v_ieee1609dot2_signed_and_encrypted_data)), p_headers));
p_butterflyCertificateRequest := v_etsi_ts_102941_data.content.butterflyCertificateRequest;
}
}
}
p_response := valueof(v_response);
log("<<< f_verify_http_butterfly_cert_request_message_from_aa: p_response: ", p_response);
log("<<< f_verify_http_butterfly_cert_request_message_from_aa: p_result: ", p_result);
} // End of function f_verify_http_butterfly_cert_request_message_from_aa
Yann Garcia
committed
} // End of group bfk_auth_request_helpers
/**
* @desc Check that the EA sends butterfly certificate request message after receiving of the butterfly authorization request
* Check that this message is encrypted for the AA
* Check that this message is signed with the EA certificate
* <pre>
* Pics Selection: PICS_IUT_EA_ROLE
* Initial conditions:
* the EA in 'operational' state
* authorized with CERT_EA certificate
* and the AA is emulated by TS and
* authorized with CERT_AA certificate
* and EA is configured to use emulated AA to generate certificates
12306
12307
12308
12309
12310
12311
12312
12313
12314
12315
12316
12317
12318
12319
12320
12321
12322
12323
12324
12325
12326
12327
12328
12329
12330
12331
12332
12333
12334
12335
12336
12337
12338
12339
12340
* Expected behaviour:
* ensure that {
* when {
* the IUT received the ButterflyAuthorizationRequestMessage
* containing EtsiTs102941Data
* containing content.butterflyAuthorizationRequest
* }
* then {
* the IUT sends a EtsiTs103097Data to the AA
* containing content.encryptedData
* containing recipients
* indicating size 1
* and containing the instance of RecipientInfo
* containing certRecipInfo
* containing recipientId
* indicating HashedId8 of the CERT_AA
* and containing encrypted representation of EtsiTs103097Data
* containing signedData
* containing tbsData
* containing headerInfo
* containing psid
* indicating AID_PKI_CERT_REQUEST
* and containing payload.data
* containing EtsiTs102941Data
* containing version
* indicating ‘1’
* and containing content
* containing butterflyCertificateRequest
* and containing signer
* containing digest
* indicating HashedId8 of the CERT_EA
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_BFK_AUTH_03_BV
12342
12343
12344
12345
12346
12347
12348
12349
12350
12351
12352
12353
12354
12355
12356
12357
12358
12359
12360
12361
12362
12363
12364
12365
12366
12367
12368
12369
12370
12371
12372
12373
12374
12375
12376
12377
12378
12379
12380
12381
* @reference ETSI TS 102 941 [1], clause 6.2.3.5.4
*/
testcase TC_SECPKI_EA_BFK_AUTH_03_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var boolean v_received_butterfly_authorization_response := false;
var boolean v_tb_done := false;
var HashedId8 v_aes_sym_key_hashed_id8;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var integer v_result;
var EeRaCertRequest v_ee_ra_cert_request;
var RaAcaCertRequest v_butterflyCertificateRequest;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_trigger_butterfly_authorization_request(v_aes_sym_key_hashed_id8, v_ee_ra_cert_request);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] httpAtVPort.receive(
mw_http_request(
mw_http_request_post(
-, // URI
v_headers, // Headers
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_butterflyCertRequestMessage(
mw_encryptedData
12384
12385
12386
12387
12388
12389
12390
12391
12392
12393
12394
12395
12396
12397
12398
12399
12400
12401
12402
12403
12404
12405
12406
12407
12408
12409
12410
12411
12412
12413
12414
12415
12416
12417
12418
12419
12420
12421
12422
12423
12424
12425
12426
12427
12428
12429
12430
12431
12432
12433
12434
12435
12436
12437
12438
)))))) -> value v_request {
tc_ac.stop;
f_verify_http_butterfly_cert_request_message_from_aa(v_request.request, v_headers, -, -, v_result, v_butterflyCertificateRequest, v_response);
// Send response forcing error code
if (isvalue(v_response)) {
httpPort.send(v_response);
}
// Set verdict
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: ButterflyCertRequestMessage received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Failed to verify ButterflyCertRequestMessage ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
v_tb_done := true;
if (v_received_butterfly_authorization_response == false) {
log("*** " & testcasename() & ": INFO: ButterflyAuthorizationResponse not received yet ***");
tc_ac.start;
repeat;
}
}
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (v_tb_done == false) {
v_received_butterfly_authorization_response := true;
tc_ac.start;
repeat;
} // else, end on the test case
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_BFK_AUTH_03_BV
/**
* @desc Check that the butterfly certificate request message sent by EA to AA contains all required elements
* <pre>
* Pics Selection: PICS_IUT_EA_ROLE
* Initial conditions:
* the EA in 'operational' state
* authorized with CERT_EA certificate
* and the EA already received the ButterflyAuthorizationRequestMessage
* indicating the sha256 message hash MSG_HASH
* and the EA already responded with ButterflyAuthorizationResponseMessage
* containing EtsiTs102941Data
* containing butterflyAuthorizationResponse
* containing nextDlTime
* indicating DNL_TIME
12452
12453
12454
12455
12456
12457
12458
12459
12460
12461
12462
12463
12464
12465
12466
12467
12468
12469
12470
12471
12472
12473
12474
12475
12476
12477
12478
12479
12480
* Expected behaviour:
* ensure that {
* when {
* the IUT received the ButterflyAtDownloadRequestMessage
* containing EtsiTs102941Data
* containing butterflyAtDownloadRequest
* containing EeRaCertRequest
* containing generationTime
* indicating REQ_TIME
* }
* then {
* the IUT sends to the AA the ButterflyCertRequestMessage
* containing EtsiTs102941Data
* containing content
* containing butterflyCertificateRequest
* containing RaAcaCertRequest
* containing version
* indicating 2
* and containing generationTime
* indicating value between REQ_TIME and the current time
* and containing flags
* indicating empty bit string
* and containing certEncKey
* and containing tbsCert
* and not containing linkageInfo
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_BFK_AUTH_04_BV
12482
12483
12484
12485
12486
12487
12488
12489
12490
12491
12492
12493
12494
12495
12496
12497
12498
12499
12500
12501
12502
12503
12504
12505
12506
12507
12508
12509
12510
12511
12512
12513
12514
12515
12516
12517
12518
12519
12520
12521
* @reference ETSI TS 102 941 [1], clause 6.2.3.5.4
*/
testcase TC_SECPKI_EA_BFK_AUTH_04_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var boolean v_received_butterfly_authorization_response := false;
var boolean v_tb_done := false;
var HashedId8 v_aes_sym_key_hashed_id8;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var integer v_result;
var EeRaCertRequest v_ee_ra_cert_request;
var RaAcaCertRequest v_butterflyCertificateRequest;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_trigger_butterfly_authorization_request(v_aes_sym_key_hashed_id8, v_ee_ra_cert_request);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] httpAtVPort.receive(
mw_http_request(
mw_http_request_post(
-, // URI
v_headers, // Headers
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_butterflyCertRequestMessage(
mw_encryptedData
12524
12525
12526
12527
12528
12529
12530
12531
12532
12533
12534
12535
12536
12537
12538
12539
12540
12541
12542
12543
12544
12545
12546
12547
12548
12549
12550
12551
12552
12553
12554
12555
12556
12557
12558
12559
12560
12561
12562
12563
12564
12565
12566
12567
12568
12569
12570
12571
12572
12573
12574
12575
12576
12577
12578
12579
12580
12581
12582
12583
12584
12585
12586
12587
)))))) -> value v_request {
tc_ac.stop;
f_verify_http_butterfly_cert_request_message_from_aa(v_request.request, v_headers, -, -, v_result, v_butterflyCertificateRequest, v_response);
// TODO Check v_butterflyCertificateRequest
// FIXME Some check can be moved to f_verify_http_butterfly_cert_request_message_from_aa
// Send response forcing error code
if (isvalue(v_response)) {
httpPort.send(v_response);
}
// Set verdict
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: ButterflyCertRequestMessage received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Failed to verify ButterflyCertRequestMessage ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
v_tb_done := true;
if (v_received_butterfly_authorization_response == false) {
log("*** " & testcasename() & ": INFO: ButterflyAuthorizationResponse not received yet ***");
tc_ac.start;
repeat;
}
}
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (v_tb_done == false) {
v_received_butterfly_authorization_response := true;
tc_ac.start;
repeat;
} // else, end on the test case
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_BFK_AUTH_04_BV
/**
* @desc Check that the butterfly certificate request message contains expanded cocoon key
* <pre>
* Pics Selection: PICS_IUT_EA_ROLE
* the EA in 'operational' state
* authorized with CERT_EA certificate
* and the AA in 'operational' state
* authorized with CERT_AA certificate
* and EA is configured to use AA of the current configuration to generate certificates
12593
12594
12595
12596
12597
12598
12599
12600
12601
12602
12603
12604
12605
12606
12607
12608
12609
12610
12611
12612
12613
12614
12615
12616
12617
* Initial conditions:
* Expected behaviour:
* ensure that {
* when {
* the IUT received the ButterflyAuthorizationRequestMessage
* containing EtsiTs102941Data
* containing content.butterflyAuthorizationRequest
* containing EeRaCertRequest
* containing tbsCert (TBS_CERT)
* containing verification key (CATERPILLAR_KEY)
* }
* then {
* the IUT sends to the AA the ButterflyCertRequestMessage
* containing EtsiTs102941Data
* containing content
* containing butterflyCertificateRequest
* containing RaAcaCertRequest
* containing tbsCert
* containing verificationKey
* containing “cocoon” key
* derived from the CATERPILLAR_KEY
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_BFK_AUTH_05_BV
12619
12620
12621
12622
12623
12624
12625
12626
12627
12628
12629
12630
12631
12632
12633
12634
12635
12636
12637
12638
12639
12640
12641
12642
12643
12644
12645
12646
12647
12648
12649
12650
12651
12652
12653
12654
12655
12656
12657
12658
* @reference ETSI TS 102 941 [1], clause 6.2.3.5.4
*/
testcase TC_SECPKI_EA_BFK_AUTH_05_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var boolean v_received_butterfly_authorization_response := false;
var boolean v_tb_done := false;
var HashedId8 v_aes_sym_key_hashed_id8;
var Headers v_headers;
var HttpMessage v_request;
var HttpMessage v_response;
var integer v_result;
var EeRaCertRequest v_ee_ra_cert_request;
var RaAcaCertRequest v_butterflyCertificateRequest;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_trigger_butterfly_authorization_request(v_aes_sym_key_hashed_id8, v_ee_ra_cert_request);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
tc_ac.start;
alt {
[] httpAtVPort.receive(
mw_http_request(
mw_http_request_post(
-, // URI
v_headers, // Headers
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_butterflyCertRequestMessage(
mw_encryptedData
12661
12662
12663
12664
12665
12666
12667
12668
12669
12670
12671
12672
12673
12674
12675
12676
12677
12678
12679
12680
12681
12682
12683
12684
12685
12686
12687
12688
12689
12690
12691
12692
12693
12694
12695
12696
12697
12698
12699
12700
12701
12702
12703
12704
12705
12706
12707
12708
12709
12710
12711
12712
12713
12714
12715
12716
12717
12718
12719
12720
12721
12722
12723
)))))) -> value v_request {
tc_ac.stop;
f_verify_http_butterfly_cert_request_message_from_aa(v_request.request, v_headers, true, -, v_result, v_butterflyCertificateRequest, v_response);
// Send response forcing error code
if (isvalue(v_response)) {
httpPort.send(v_response);
}
// Set verdict
if (v_result == 0) {
log("*** " & testcasename() & ": PASS: ButterflyCertRequestMessage received ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Failed to verify ButterflyCertRequestMessage ***");
f_selfOrClientSyncAndVerdict(c_tbDone, e_error);
}
v_tb_done := true;
if (v_received_butterfly_authorization_response == false) {
log("*** " & testcasename() & ": INFO: ButterflyAuthorizationResponse not received yet ***");
tc_ac.start;
repeat;
}
}
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_enrolmentResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (v_tb_done == false) {
v_received_butterfly_authorization_response := true;
tc_ac.start;
repeat;
} // else, end on the test case
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_BFK_AUTH_05_BV
} // End of group bfk_cert_request
group bfk_auth_cert_download {
/**
* @desc Check that the butterfly certificate request message sent by EA to AA contains all required elements
* <pre>
* Pics Selection: PICS_IUT_EA_ROLE
* Initial conditions:
* the EA in 'operational' state
* authorized with CERT_EA certificate
* and the EA already responded with ButterflyAuthorizationResponseMessage (MSG_RESPONSE)
* containing EtsiTs102941Data
* containing butterflyAuthorizationResponse
* containing nextDlTime
* indicating DNL_TIME
* and containing currentI
* indicating I_VALUE
* and containing requestHash
* indicating MSG_HASH
* and the EA already received from emullated AA one or more ButterflyCertResponse messages
* containing AcaEeCertResponsePrivateSpdu (CERT_RESPONSE)
12737
12738
12739
12740
12741
12742
12743
12744
12745
12746
12747
12748
12749
12750
12751
12752
12753
12754
12755
12756
12757
12758
* Expected behaviour:
* ensure that {
* when {
* the IUT received the ButterflyAtDownloadRequestMessage
* containing EtsiTs102941Data
* containing butterflyAtDownloadRequest
* indicating EeRaDownloadRequest
* containing generationTime
* indicating DNL_TIME + 1
* and containing filename
* indicating MSG_HASH + “_” + hex(I_VALUE) + ".zip"
* }
* then {
* the IUT sends the requested batch of certificates
* containing file hex(I_VALUE) + “.info”
* indicating COER encoding of MSG_RESPONSE
* and containing a set of files hex(I_VALUE) + “_” + (0..N)
* indicating COER encoding of AcaEeCertResponsePrivateSpdu (CERT_RESPONSE)
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 TP SECPKI_EA_BFK_AUTH_06_BV
* @reference ETSI TS 102 941 [1], clause 6.2.3.5.1, 6.2.3.5.3
12761
12762
12763
12764
12765
12766
12767
12768
12769
12770
12771
12772
12773
12774
12775
12776
12777
12778
12779
12780
12781
12782
12783
12784
12785
12786
12787
12788
12789
12790
12791
12792
12793
12794
12795
12796
12797
12798
12799
12800
12801
12802
12803
12804
12805
12806
12807
12808
12809
12810
12811
12812
12813
12814
*/
testcase TC_SECPKI_EA_BFK_AUTH_06_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
// Local variables
var octetstring v_private_key;
var Oct32 v_request_hash;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EeRaCertRequest v_ee_ra_cert_request;
var EtsiTs102941Data v_etsi_ts_102941_data;
// Test control
if (not PICS_IUT_EA_ROLE) {
log("*** " & testcasename() & ": PICS_IUT_EA_ROLE required for executing the TC ***");
setverdict(inconc);
stop;
}
// Test component configuration
f_cfHttpUp(PICS_TS_EA_CERTIFICATE_ID);
// Test adapter configuration
// Preamble
f_trigger_butterfly_authorization_request(v_aes_sym_key_hashed_id8, v_ee_ra_cert_request);
f_http_build_butterfly_at_download_request_message(""/*FIXME FSCOM*/, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, v_salt, v_ieee1609dot2_signed_and_encrypted_data, v_request_hash);
v_aes_sym_key_hashed_id8 := f_hashedId8FromSha256(f_hashWithSha256('80'O & v_aes_sym_key)); // Used to match the response
f_init_default_headers_list(-, "bfk_at_download_request", v_headers);
f_selfOrClientSyncAndVerdictPreamble(c_prDone, e_success);
// Test Body
f_http_send(
v_headers,
m_http_request(
m_http_request_post(
PICS_HTTP_POST_URI_EC,
v_headers,
m_http_message_body_binary(
m_binary_body_ieee1609dot2_data(
v_ieee1609dot2_signed_and_encrypted_data
)))));
tc_ac.start;
alt {
[] a_await_ec_http_response_from_iut(
mw_http_response(
mw_http_response_ok(
mw_http_message_body_binary(
mw_binary_body_ieee1609dot2_data(
mw_butterflyCertResponseMessage(
mw_encryptedData(
{ *, mw_recipientInfo_pskRecipInfo(v_aes_sym_key_hashed_id8), * },
mw_symmetricCiphertext_aes128ccm
)))))),
v_response
) {
tc_ac.stop;
if (f_verify_pki_response_message(v_private_key, v_aes_sym_key, v_authentication_vector, vc_eaWholeHash, v_response.response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) {
log("*** " & testcasename() & ": FAIL: Failed to verify PKI message ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
} else {
log(match(v_etsi_ts_102941_data, mw_etsiTs102941Data_ra_aca_cert_response(mw_ra_aca_cert_response)));
if (match(v_etsi_ts_102941_data, mw_etsiTs102941Data_ra_aca_cert_response(mw_ra_aca_cert_response)) == true) {
12830
12831
12832
12833
12834
12835
12836
12837
12838
12839
12840
12841
12842
12843
12844
12845
12846
12847
12848
12849
12850
12851
12852
12853
12854
12855
12856
12857
12858
12859
12860
12861
12862
12863
12864
12865
12866
12867
12868
12869
12870
12871
12872
12873
12874
12875
12876
12877
12878
12879
12880
12881
12882
12883
12884
12885
12886
12887
12888
12889
12890
12891
12892
12893
12894
12895
12896
12897
12898
12899
12900
12901
12902
12903
12904
12905
12906
12907
12908
12909
12910
12911
12912
12913
12914
12915
12916
12917
12918
12919
12920
12921
12922
12923
12924
12925
12926
12927
12928
12929
12930
12931
12932
12933
12934
12935
12936
12937
12938
12939
12940
12941
12942
12943
12944
12945
12946
12947
12948
12949
12950
12951
12952
12953
12954
12955
12956
12957
12958
12959
12960
12961
12962
12963
12964
12965
12966
12967
12968
12969
12970
12971
12972
12973
12974
log("*** " & testcasename() & ": PASS: Well formated ButterflyAuthorizationResponseMessage received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_success);
} else {
log("*** " & testcasename() & ": FAIL: Invalid ButterflyAuthorizationResponseMessage received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_error);
}
}
}
[] tc_ac.timeout {
log("*** " & testcasename() & ": INCONC: Expected message not received ***");
f_selfOrClientSyncAndVerdictTestBody(c_tbDone, e_timeout);
}
} // End of 'alt' statement
// Postamble
f_cfHttpDown();
} // End of testcase TC_SECPKI_EA_BFK_AUTH_06_BV
} // End of group bfk_auth_cert_download
} // End of group authorization_with_bfk
} // End of group ea_behavior
group aa_behavior {
group aa_helpers {
function f_verify_http_at_response_from_iut_aa(
in Response p_response,
in octetstring p_private_key,
in Oct16 p_aes_sym_key,
in Oct16 p_authentication_vector,
in Oct32 p_request_hash,
out InnerAtResponse p_authorization_response,
out integer p_result
) runs on ItsPkiHttp {
// Local variables
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var EtsiTs102941Data v_etsi_ts_102941_data;
var Oct16 v_aes_enc_key;
var InnerEcResponse v_inner_ec_response;
log(">>> f_verify_http_at_response_from_iut_aa: p_response= ", p_response);
log(">>> f_verify_http_at_response_from_iut_aa: p_private_key= ", p_private_key);
log(">>> f_verify_http_at_response_from_iut_aa: p_aes_sym_key= ", p_aes_sym_key);
log(">>> f_verify_http_at_response_from_iut_aa: p_authentication_vector= ", p_authentication_vector);
log(">>> f_verify_http_at_response_from_iut_aa: p_request_hash= ", p_request_hash);
p_result := 0;
if (f_verify_pki_response_message(p_private_key, p_aes_sym_key, p_authentication_vector, vc_aaWholeHash, p_response.body.binary_body.ieee1609dot2_data, true, 1, v_etsi_ts_102941_data) == false) {
// Set verdict
p_result := -1;
} else {
log("f_verify_http_at_response_from_iut_aa: Receive ", v_etsi_ts_102941_data);
p_authorization_response := v_etsi_ts_102941_data.content.authorizationResponse;
log(match(v_etsi_ts_102941_data.content, mw_authorizationResponse(mw_innerAtResponse_ok(substr(p_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_at, -))))); // TODO In TITAN, this is the only way to get the unmatching in log
if (match(v_etsi_ts_102941_data.content, mw_authorizationResponse(mw_innerAtResponse_ok(substr(p_request_hash, 0, 16), mw_etsiTs103097Certificate(-, mw_toBeSignedCertificate_at, -)))) == false) {
log(match(v_etsi_ts_102941_data.content, mw_authorizationResponse(mw_innerAtResponse_ko)));
if (match(v_etsi_ts_102941_data.content, mw_authorizationResponse(mw_innerAtResponse_ko)) == false) {
// Set verdict
p_result := -2;
} else {
// Set verdict
p_result := -3;
}
} else {
// Verify AT Certificate signature
if (f_verifyCertificateSignatureWithIssuingCertificate(v_etsi_ts_102941_data.content.authorizationResponse.certificate, vc_aaCertificate) == false) {
// Set verdict
p_result := -4;
}
log("f_verify_http_at_response_from_iut_aa: Well-secured AT certificate received");
}
}
log("<<< f_verify_http_at_response_from_iut_aa: p_result: ", p_result);
} // End of function f_verify_http_at_response_from_iut_aa
} // End of group aa_helpers
group authorization_request {
/**
* @desc Check that the EA/AA is able to decrypt the AuthorizationRequest message using the encryption private key corresponding to the recipient certificate
* Check that the EA/AA is able to verify the inner signature
* Check that the EA/AA is able to verify the request authenticity using the hmacKey verification
* Check that the EA/AA sends the AuthorizationValidationRequest message to the correspondent EA
* <pre>
* Pics Selection: PICS_IUT_AA_ROLE and not PICS_PKI_AUTH_POP
* Initial conditions:
* with {
* the EA/AA in "operational state"
* authorized with the certificate CERT_AA
* containing encryptionKey (AA_ENC_PUB_KEY)
* }
* Expected behaviour:
* ensure that {
* when {
* the IUT receives an EtsiTs103097Data message
* containing content.encryptedData
* containing recipients
* containing the instance of RecipientInfo
* containing certRecipInfo
* containing recipientId
* indicating HashedId8 of the certificate CERT_AA
* and containing encKey
* indicating symmetric key (S_KEY)
* encrypted with the private key correspondent to the AA_ENC_PUB_KEY
* and containing cyphertext (ENC_DATA)
* containing encrypted representation of the EtsiTs103097Data-Signed
* containing content.signedData
* containing hashId
* indicating valid hash algorythm
* and containing signer
* containing self
* and containing tbsData (SIGNED_DATA)
* containing payload
* containing EtsiTs102941Data
* containing content.authorizationRequest
* containing publicKeys.verificationKey (V_KEY)
* and containing hmacKey (HMAC)
* and containing sharedAtRequest
* containing keyTag (KEY_TAG)
* and containing eaId (EA_ID)
* indicating HashedId8 of the known EA certificate
* and containing signature (SIGNATURE)
* }
* then {
* the IUT is able to decrypt the S_KEY
* using the private key
* corresponding to the AA_ENC_PUB_KEY
* and the IUT is able to decrypt the cypthertext ENC_DATA
* using the S_KEY
* and the IUT is able to verify the signature SIGNATURE over the SIGNED_DATA
* using the V_KEY
* and the IUT is able to verify integrity of HMAC and KEY_TAG
* and the IUT sends the AuthorizationValidationRequest message to the EA
* identified by the EA_ID
* }
* }
* </pre>
*
* @see ETSI TS 103 525-2 v2.0.1 SECPKI_AA_AUTH_RCV_01_BV
* @reference ETSI TS 102 941, clause 6.2.3.3.1
*/
testcase TC_SECPKI_AA_AUTH_RCV_01_BV() runs on ItsPkiHttp system ItsPkiHttpSystem {
var Oct32 v_private_key_ec;
var Oct32 v_public_compressed_key_ec;
var integer v_compressed_key_mode_ec;
var InnerEcResponse v_inner_ec_response;
var Oct32 v_private_key_at;
var Oct32 v_public_compressed_key_at;
var integer p_compressed_mode_at;
var Oct32 v_private_enc_key_at;
var Oct32 v_public_compressed_enc_key_at;
var integer v_compressed_enc_mode_at;
var Oct16 v_encrypted_sym_key;
var Oct16 v_aes_sym_key;
var HashedId8 v_aes_sym_key_hashed_id8;
var Oct16 v_authentication_vector;
var Oct12 v_nonce;
var octetstring v_salt;
var Ieee1609Dot2Data v_ieee1609dot2_signed_and_encrypted_data;
var Headers v_headers;
var HttpMessage v_response;
var EtsiTs102941Data v_etsi_ts_102941_data;